Topic 1 Question 17
3 つ選択A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database. The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales. Which combination of actions should the security engineer recommend to meet these requirements?
Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
Place the DB instance in a public subnet.
Place the DB instance in a private subnet.
Configure the Auto Scaling group to place the EC2 instances in a public subnet.
Configure the Auto Scaling group to place the EC2 instances in a private subnet.
Deploy the ALB in a private subnet.
ユーザの投票
コメント(14)
- 正解だと思う選択肢: CE
This cannot possibly be an exam question. its poorly worded. None of the partial answers address the need to contol the outgoing connections IP addresses. If A placed the NAT in a public subnet with an elastic IP address attached, then we would have a valid solution
👍 6Ptol2024/06/25 - 👍 4aragon_saa2023/10/02
Keyword: " preconfigured allow list of IP addresses" However, the question missed an important detail alongside these keywords..that the communication has to be routed to a VPN and through a virtual private gateway (VGW). That's the only reason you can place NAT GW in a private subnet. Without that piece of detail, placing NAT GW seems unreasonable. Poorly written question, but if you considered that, A C E would make sense.
👍 4Raphaello2023/12/13
シャッフルモード